[Openswan Users] Problems with openswan tunnel on Fedora

Paul Wouters paul at xelerance.com
Tue Aug 24 19:13:06 CEST 2004


On Tue, 24 Aug 2004, Matthew Claridge wrote:

> I have transferred this working configuration onto a new box running Fedora 
> Core 2 and just changed the 'left' ip addresses. This box has been running

I assume you also changed the "left" ip address on the Cisco end?

> "ignoring informational payload, type PAYLOAD_MALFORMED"

It seems openswan expects plaintext isakmp negotiation messages, while
getting encrypted 'established' messages.

> "encrypted Informational Exchange message is invalid because it is for 
> incomplete ISAKMP SA"

The last line normally means that two instances of isakmp are competing against
each other, or that one end thinks the isakmp negotiation succeeded (and goes 
crypto) while the other end does not (and wants plaintext and refuses crypto).

Sometimes this happens when one end reboots/reloads and the other end still 
has an isakmp SA established. Sometimes this happens when both ends initiate
and respond interleaved. The latter can be prevented by telling openswan to 
use auto=add instead of auto=start, so that it becomes a passive responder only.

Did you update your cisco configuration if it is not treating the openswan end as
roadwarrior? Did you reload the connection if you changed it?

Paul
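As an added illustration of the auto=add versus auto=start point above (this is not code from the thread or from the Openswan project), the script below parses a constructed ipsec.conf and reports which conn sections will actually initiate IKE on load. The value that matters is the effective one: a conn with no auto= line of its own inherits it from any section pulled in with also=, and failing that from conn %default, so a site-wide "auto=start" in %default can quietly turn a connection that was meant to be passive into an initiator. The sample configuration, the conn names and the addresses are made up for the example; the resolution order (own section, then also=, then %default, then the documented default of "ignore") is the ordinary ipsec.conf layering, and only a single also= per section is handled.

```python
"""Find ipsec.conf conns whose effective auto= is 'start' (will initiate)
rather than 'add' (loaded but waits as a passive responder).

Added example, not from the Openswan project. Parsing is deliberately
simple: one also= per section, '#' comments, indented key=value lines.
"""
import re
from collections import OrderedDict

# Constructed sample ipsec.conf for this example (names/addresses invented).
SAMPLE_IPSEC_CONF = """\
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=no

conn %default
    keyingtries=0
    auto=start          # site-wide default: every conn initiates

conn common-cisco
    authby=secret
    ike=3des-sha1

conn fedora-to-cisco
    also=common-cisco
    left=192.0.2.10
    leftsubnet=10.1.0.0/24
    right=198.51.100.1
    rightsubnet=10.2.0.0/24

conn roadwarrior
    also=common-cisco
    left=%defaultroute
    right=%any
    auto=add            # explicit override: passive responder only
"""

_SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return an ordered {conn_name: {key: value}} map of all conn sections.

    Section headers start at column 0 ('conn NAME' / 'config setup');
    parameters are indented 'key=value' lines. Comments and blank lines
    are dropped, and 'config setup' parameters are skipped entirely.
    """
    conns = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = _SECTION_RE.match(line)
        if header:
            kind, name = header.groups()
            current = {} if kind == "conn" else None
            if current is not None:
                conns[name] = current
            continue
        if current is None or not line[0].isspace():
            continue  # e.g. 'version 2.0', or a line inside 'config setup'
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return conns


def effective_param(conns, name, key, default=None):
    """Resolve `key` for conn `name` with ipsec.conf layering:
    the section's own value wins, then the section named by also=
    (followed recursively, loops guarded), then conn %default, then `default`.
    """
    seen = set()

    def lookup(section):
        if section in seen or section not in conns:
            return None
        seen.add(section)
        params = conns[section]
        if key in params:
            return params[key]
        if "also" in params:
            return lookup(params["also"])
        return None

    value = lookup(name)
    if value is None and name != "%default":
        value = conns.get("%default", {}).get(key)
    return default if value is None else value


def initiating_conns(text):
    """Names of conns that will initiate IKE on load (effective auto=start),
    i.e. the ones that can race a peer which also initiates."""
    conns = parse_ipsec_conf(text)
    return [name for name in conns
            if name != "%default"
            and effective_param(conns, name, "auto", "ignore") == "start"]


if __name__ == "__main__":
    for conn in initiating_conns(SAMPLE_IPSEC_CONF):
        print("will initiate:", conn)
```

In the sample, "roadwarrior" is the only conn that has done what the reply recommends: its own auto=add beats the auto=start inherited from %default, so it only ever responds. "fedora-to-cisco" has no auto= of its own and no auto= in the also= section, so it silently picks up auto=start from %default; to make the Fedora end a passive responder, add auto=add to that conn (or drop auto=start from %default) and reload the connection.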

